MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 19


Intelligence 19 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58
SHA3-384 hash: 7d54b5b9ac2da9598b89f51c298545a931112db9804aa79981b042bf0394c7a040b14894835301d410fedc9903f02ba2
SHA1 hash: 6c421f13a590822d583689221569ceff31f2dbae
MD5 hash: 18df057d5952c7f5366335ff201849b5
humanhash: friend-early-muppet-fruit
File name:87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'011'712 bytes
First seen:2024-12-03 14:52:48 UTC
Last seen:2025-01-10 14:07:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:UL3gqH9oc5KKhWIpBwxgCeg+5LxcvFEgOX9BMN4h7A0:UL3gK9d5KKMIp9CT+5WagODRBd
Threatray 4'611 similar samples on MalwareBazaar
TLSH T1E02502603659DF26D9AA0FF40020E97207B56E8EB921E30A8ED9BCD77537BD01B54723
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe RemcosRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
425
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe
Verdict:
Malicious activity
Analysis date:
2024-12-03 14:58:11 UTC
Tags:
rat remcos remote
Link:
https://app.any.run/tasks/d10b63b4-7753-462e-9f13-36aca3ab8991

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Dropper.Nanocore-10025638-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=674f1c57bc8c6beb30755645
Tags:
remcos virus gates msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
nanocore packed packed packer_detected remcos
Link:
https://www.filescan.io/uploads/674f1b541b2b810869e0ffdc/reports/b9f415c1-52eb-41aa-9454-417f1696f048/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5ee03ce6-c9b5-4103-9feb-dada8960e8d4
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1567561
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Drops executable to a common third party application directory
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1567561 Sample: aDGx3jaI7i.exe Startdate: 03/12/2024 Architecture: WINDOWS Score: 100 43 geoplugin.net 2->43 49 Suricata IDS alerts for network traffic 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 9 other signatures 2->55 9 aDGx3jaI7i.exe 3 2->9         started        13 Adobe.exe 2 2->13         started        15 Adobe.exe 2 2->15         started        17 Adobe.exe 2 2->17         started        signatures3 process4 file5 41 C:\Users\user\AppData\...\aDGx3jaI7i.exe.log, ASCII 9->41 dropped 61 Contains functionality to bypass UAC (CMSTPLUA) 9->61 63 Contains functionalty to change the wallpaper 9->63 65 Contains functionality to steal Chrome passwords or cookies 9->65 69 3 other signatures 9->69 19 aDGx3jaI7i.exe 2 4 9->19         started        67 Injects a PE file into a foreign processes 13->67 23 Adobe.exe 13->23         started        25 Adobe.exe 13->25         started        27 Adobe.exe 15->27         started        29 Adobe.exe 17->29         started        signatures6 process7 file8 37 C:\ProgramData\Adobe\Adobe.exe, PE32 19->37 dropped 39 C:\ProgramData\...\Adobe.exe:Zone.Identifier, ASCII 19->39 dropped 57 Creates autostart registry keys with suspicious names 19->57 59 Drops executable to a common third party application directory 19->59 31 Adobe.exe 3 19->31         started        signatures9 process10 signatures11 71 Antivirus detection for dropped file 31->71 73 Multi AV Scanner detection for dropped file 31->73 75 Machine Learning detection for dropped file 31->75 77 Injects a PE file into a foreign processes 31->77 34 Adobe.exe 3 14 31->34         started        process12 dnsIp13 45 104.250.180.178, 49704, 7902 M247GB United States 34->45 47 geoplugin.net 178.237.33.50, 49713, 80 ATOM86-ASATOM86NL Netherlands 34->47
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2024-10-14 10:43:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q76kgjt4uokolpcbigkmprw6yfbk4ezjehx2uj3dy3iv6qynnrma._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
remcos
Create hunting rule
Similar samples:
3d4bfc47bd88ef39e0780482a1b0fde1cd85772ddce25d9905d88d48b5b96a4a
RemcosRAT
65d633afee85962e40015d907d3592c3be64ba11585e3816717b0870849744d9
RemcosRAT
84bb8bba33e1a515260b02421d72da6ad0d685d432c64c572a230337dca28c54
RemcosRAT
929167f47e1116759145eb457f86474a311374373b05b11438ea1222a9e2a8f0
RemcosRAT
+ 4'601 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost discovery persistence rat
Link:
https://tria.ge/reports/241203-r9atjazlay/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Remcos
Remcos family
Malware Config
C2 Extraction:
104.250.180.178:7902
Verdict:
Malicious
Tags:
Win.Dropper.Nanocore-10025638-0
YARA:
n/a
Link:
https://app.threat.zone/submission/325ca639-e60d-4156-9875-6feb3411dae0
Unpacked files
SH256 hash:
8d0e47336c4492dce0675f6b4f35913e3c325a3cd98e59c4c73e545b886f8410
MD5 hash:
95d8b4669a39c10ef74b61fab4c2c982
SHA1 hash:
cb2b04dda50b0a6d91bc6388e59a0106f0bd766b
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
win_remcos_w0
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
Link:
https://www.unpac.me/results/b32f243c-46ce-46fc-bd85-dd59108d7fe0/
Parent samples :
0d89ebfc019f155ecbb5f5fb49dc172741f17de763013f2abb39b9ee3d5cc433
87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58
SH256 hash:
6b97dc731c468f0be735a2da3003e1b71f36454c6f7c916999eb218e75e78837
MD5 hash:
8677c29be800d0f3dbe4db777ad3d4eb
SHA1 hash:
75b3e8a8e298d44db8252727ae849c80ece874eb
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/b32f243c-46ce-46fc-bd85-dd59108d7fe0/
Parent samples :
9244463fab1df23ec163c36f7f032245c64f46841f91f139fab5b4fd2b5cd25c
9d3cf8aa8659d98460a62e74027e411f3ae60e84e4782fa2f49197d49b3fe802
87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58
SH256 hash:
77ea2f8786235d8d95e69a271aecc57468c616a95ab1de2bb3e267f92af1b0e2
MD5 hash:
d003c2e71047d5bfac8360f7c00449de
SHA1 hash:
71456d253dcc5d7d3693c2ed856ae9bbc79c33b3
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/b32f243c-46ce-46fc-bd85-dd59108d7fe0/
SH256 hash:
87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58
MD5 hash:
18df057d5952c7f5366335ff201849b5
SHA1 hash:
6c421f13a590822d583689221569ceff31f2dbae
Link:
https://www.unpac.me/results/b32f243c-46ce-46fc-bd85-dd59108d7fe0/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/87fca3267ca3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments